[nginx] Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134).

Maxim Dounin mdounin at mdounin.ru
Tue Aug 17 22:26:58 UTC 2021


details:   https://hg.nginx.org/nginx/rev/13d0c1d26d47
branches:  
changeset: 7905:13d0c1d26d47
user:      Rob Mueller <robm at fastmail.fm>
date:      Fri Aug 13 03:57:47 2021 -0400
description:
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134).

This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions or remove support for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.

diffstat:

 src/mail/ngx_mail_auth_http_module.c |  41 ++++++++++++++++++++++++++++++++++-
 1 files changed, 39 insertions(+), 2 deletions(-)

diffs (72 lines):

diff -r 419c066cb710 -r 13d0c1d26d47 src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c	Mon Aug 16 22:40:31 2021 +0300
+++ b/src/mail/ngx_mail_auth_http_module.c	Fri Aug 13 03:57:47 2021 -0400
@@ -1137,8 +1137,8 @@ ngx_mail_auth_http_create_request(ngx_ma
     ngx_str_t                  login, passwd;
     ngx_connection_t          *c;
 #if (NGX_MAIL_SSL)
-    ngx_str_t                  verify, subject, issuer, serial, fingerprint,
-                               raw_cert, cert;
+    ngx_str_t                  protocol, cipher, verify, subject, issuer,
+                               serial, fingerprint, raw_cert, cert;
     ngx_mail_ssl_conf_t       *sslcf;
 #endif
     ngx_mail_core_srv_conf_t  *cscf;
@@ -1155,6 +1155,25 @@ ngx_mail_auth_http_create_request(ngx_ma
 
 #if (NGX_MAIL_SSL)
 
+    if (c->ssl) {
+
+        if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) {
+            return NULL;
+        }
+
+        protocol.len = ngx_strlen(protocol.data);
+
+        if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
+            return NULL;
+        }
+
+        cipher.len = ngx_strlen(cipher.data);
+
+    } else {
+        ngx_str_null(&protocol);
+        ngx_str_null(&cipher);
+    }
+
     sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
 
     if (c->ssl && sslcf->verify) {
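Review bot: The added `protocol.len = ngx_strlen(protocol.data);` and `cipher.len = ngx_strlen(cipher.data);` silently depend on ngx_ssl_get_protocol() and ngx_ssl_get_cipher_name() filling only `data` with a NUL-terminated string and leaving `len` for the caller, which is not visible from this hunk; a one-line comment such as `/* ngx_ssl_get_protocol()/ngx_ssl_get_cipher_name() set only .data; recover .len here */` would keep the next maintainer from "fixing" the apparent omission. The same assumption underlies the `if (protocol.len)` / `if (cipher.len)` guards in the last hunk: presumably both helpers return the library's own protocol and cipher-suite identifiers rather than client-supplied text, which is why, unlike the login and password, the values are copied into the auth request without escaping — that reasoning is worth stating next to the copies, since an unescaped value in a CRLF-delimited header would otherwise look like an injection gap. ngx_mail_auth_http_create_request() starts and ends outside this hunk.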
@@ -1252,6 +1271,10 @@ ngx_mail_auth_http_create_request(ngx_ma
 
     if (c->ssl) {
         len += sizeof("Auth-SSL: on" CRLF) - 1
+               + sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len
+                     + sizeof(CRLF) - 1
+               + sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
+                     + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Verify: ") - 1 + verify.len
                      + sizeof(CRLF) - 1
                + sizeof("Auth-SSL-Subject: ") - 1 + subject.len
@@ -1373,6 +1396,20 @@ ngx_mail_auth_http_create_request(ngx_ma
         b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
                              sizeof("Auth-SSL: on" CRLF) - 1);
 
+        if (protocol.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ",
+                                 sizeof("Auth-SSL-Protocol: ") - 1);
+            b->last = ngx_copy(b->last, protocol.data, protocol.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
+        if (cipher.len) {
+            b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
+                                 sizeof("Auth-SSL-Cipher: ") - 1);
+            b->last = ngx_copy(b->last, cipher.data, cipher.len);
+            *b->last++ = CR; *b->last++ = LF;
+        }
+
         if (verify.len) {
             b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
                                  sizeof("Auth-SSL-Verify: ") - 1);

